Publisher data protection agreement

1.1 Capitalised terms used in this DPA shall have the meanings given to them in the Agreement. All other capitalised terms used in this DPA (which are not defined in the Agreement) shall have the meanings given to them as follows:

“Controller” has the meaning given to that term in the Data Protection Laws;

“Data Protection Laws” means (a) the EU GDPR and the UK GDPR as applicable; (b) the DPA 2018; (c) EC Directive 2002/58/EC on Privacy and Electronic Communications; (d) The Privacy and Electronic Communications (EC Directive) Regulations 2003 and (e) all local laws or regulations implementing or supplementing the foregoing legislation and all other laws concerning the processing or protection of Personal Data; and (e) all binding codes of practice and guidance issued by national regulators relating to aforementioned laws and regulations;

• “Data Subject” has the meaning given to that term in the Data Protection Laws;
• “DPA 2018” means the UK Data Protection Act 2018;
• “EEA” means the European Economic Area;
• “EU GDPR” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
• “IAB TCF ” means the IAB Europe Transparency & Consent Framework published by the Interactive Advertising Bureau Europe as amended from time to time;
• “Joint Controller” has the meaning given to it in Article 26 of the EU GDPR and/or UK GDPR as applicable;
• “Joint Controller Terms” means the terms set out in Annex 1 to this DPA;
• “Ozone Privacy Notice” means Ozone’s Platform Privacy Notice which is located at https://ozoneproject.com/platform-privacy (as may be updated by Ozone from time to time);
• “Personal Data Breach” has the meaning given to it in the Data Protection Laws;
• “Personal Data” has the meaning given to that term in the Data Protection Laws;
• “Processor Terms” means the terms set out in Annex 2 to this DPA;
• “Publisher Privacy Notice” has the meaning given to it in clause 3.1(a) of this DPA;
• “UK GDPR” has the meaning given to it in the DPA 2018.

2.1 The Parties may agree Service Orders from time to time (which incorporate this DPA). Notwithstanding any other provisions of this DPA or the Agreement, each party shall:

• (a) comply with the obligations imposed on it by applicable Data Protection Laws;
• (b) provide each other with reasonable cooperation and assistance in respect of any (i) communication issued or investigation initiated by a supervisory authority or (ii) any request or complaint from a User, in each case which relates to the Services; and
• (c) comply with its respective obligations with respect to Security Breaches contained in the Agreement, including without limitation notifying the other party of Security Breaches without undue delay after becoming aware of the same, and in any event within 24 hours after becoming aware. For the purposes of this DPA and the Agreement, the parties acknowledge and agree that a Personal Data Breach shall constitute a Security Breach (as defined in the Agreement).

3.1 Publisher shall:

• (a) publish, on each Publisher Property, a privacy notice that satisfies Publisher’s obligation to comply with its transparency obligations contained in the Data Protection Laws (“Publisher Privacy Notice(s)”);
• (b) expressly name Ozone in the Publisher Privacy Notice(s) (including where such Privacy Notice is made available as part of a consent management platform implemented in accordance with Data Protection Laws) as a party for whom, and by whom, Personal Data about the User is collected through the Publisher Properties and include in such Publisher Privacy Notice(s) clear and prominent links to the Ozone Privacy Notice (to enable Ozone to fulfil its own transparency obligations contained in the Data Protection Laws) and any opt-out mechanisms operated by Ozone, in each case as notified to Publisher by Ozone;
• (c) for and on behalf of Ozone and any applicable Ad Partners, obtain, and on reasonable request evidence, valid consent for cookies (and/or similar technologies) of Ozone and any applicable Ad Partners to be set on and accessed from devices that are used by Users when they visit each of the Publisher Properties together with any other Personal Data which may be transferred from the Publisher to Ozone as part of the Services, in each case as may be required by Data Protection Laws;
• (d) assist Ozone as reasonably necessary to enable Ozone and any applicable Ad Partner to demonstrate that it has a lawful basis for processing the Personal Data relating to Users of the Publisher Properties for the purposes of performing the applicable Services described in the applicable Service Order; and
• (e) on and in respect of each Publisher Property, implement appropriate technical measures (such as cookie banners and consent management platforms), and adopt the IAB TCF (and/or such other framework or policy which complies with Data Protection Laws) for the purposes of ensuring that:
• (i) Ozone and Ad Partners are able to comply with their respective obligations under the Data Protection Laws; and
• (ii) Publisher complies with its obligations under the Data Protection Laws as well as its obligations set out in this DPA.

4.1 The parties acknowledge and agree that as part of its provision of the Services, Ozone will process certain Personal Data relating to Users, which, depending on the specific Services to be provided under the applicable Service Order, will include the following: first and third party identifiers including IP address, device ID, a Publisher first party cookie (named: “pubcid”), an Ozone third party cookie, a Publisher internal ID (where supplied), an Ozone Ad Partner ID, user page-view data, bid requests, bid responses, win notices, and other user identifiers as may be agreed with and provided by the Publisher in connection with the Services (including for example hashed email addresses (“HEMs”)).

4.2 Ozone and Publisher acknowledge that the status of each party is a matter of fact under Data Protection Laws. Notwithstanding the foregoing, the Parties acknowledge and agree that:

• (a) the Publisher acts as a separate and independent controller in relation to the processing by it of any Personal Data relating to Users prior to the commencement of, or which is independent of, the Services;
• (b) where Ozone processes the data referred to in clause 4.1 to (i) map such data to the Ozone ID, (ii) leverage’s Ozone’s Ad Partners, and/or (iii) activate cross-publisher audience segments, in each case as part of the Services, the parties will act as Joint Controllers in relation to such processing;
• (c) where Ozone processes the data referred to in clause 4.1 without (i) utilising the Ozone ID and/or (ii) leveraging Ozone’s Ad Partners, for example where Ozone activates the Publisher’s Ad Partners instead of leveraging Ozone’s Ad Partners, in such cases the Publisher shall act as the Controller and Ozone will act as the Publisher’s Processor in relation to such processing; and
• (d) in relation to any other processing by Ozone of the data referred to in clause 4.1, Ozone shall act as a separate and independent controller.

4.3 Without prejudice to the general requirements in clause 2 and 3 of this DPA, in respect of any processing where, in accordance with clause 4.2 above: (a) the parties act as Joint Controllers, then in such case the Joint Controller Terms attached at Annex 1 to this DPA shall also apply; and/or (b) the Publisher acts as a Controller and Ozone acts as the Publisher’s Processor, the Processor Terms attached at Annex 2 to this DPA shall also apply.

5.1 The parties acknowledge and agree that the limitations and exclusions of liability in the Agreement shall apply in respect of this DPA.

5.2 Where, in accordance with the provisions Article 82 of the EU GDPR or UK GDPR both parties are responsible for the act, or omission to act, resulting in the payment of Losses by a party, or both parties, then a party shall only be liable for that part of such Losses which is in proportion to its respective responsibility.

5.3 Each party shall indemnify the other against all Losses suffered or incurred by the indemnified party arising out of or in connection with a breach of the Data Protection Laws by the indemnifying party, its employees or agents.

5.4 The indemnified party shall give to the indemnifying party prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and, to the extent permitted by the Data Protection Laws and the applicable supervisory authority, sole authority to manage, defend and/or settle it.

6.1 This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with English law.

6.2 Each party irrevocably agrees to submit to the exclusive jurisdiction of the courts of England in relation to any claim or matter arising out of or in connection with this DPA (including non-contractual disputes or claims).

General

1.1 Where the parties act as Joint Controllers pursuant to this DPA, then in such case these Joint Controller Terms shall apply.

1.2 Each party agrees to comply with these Joint Controller Terms and acknowledges that, except as expressly stated otherwise in this DPA or as required by applicable Data Protection Law, it is (as between the parties) solely responsible for ensuring that it meets all of its obligations under Data Protection Law.

1.3 These Joint Controller Terms determine and specify the parties’ respective responsibilities for compliance with Data Protection Laws in relation to the applicable Processing as set out below:

• (a) each party shall be responsible for ensuring it has an appropriate legal basis for its processing;
• (b) Publisher shall be responsible for providing information to Data Subjects regarding the applicable processing undertaken by the parties pursuant to the applicable Service Order, and, in accordance with Publisher’s obligations under clause 3.1 of the DPA, shall ensure that the Publisher Privacy Notice includes appropriate and sufficient information regarding the collection by and transmission to Ozone of Personal Data; and
• (c) without prejudice to Publisher’s obligations under clause 1.3(b) of this Annex, Ozone shall also make the essence of the Joint Controller arrangement between the parties available to Data Subjects by way of the Ozone Privacy Notice.

1.4 The parties shall designate a contact point for Data Subjects and make the details of such contact point available in its respective privacy notice.

Communications

If either party receives any communication from a supervisory authority which relates directly or indirectly to:

• (a) the other party’s processing of Personal Data; or
• (b) a potential failure to comply with Data Protection Laws in relation to the applicable Services,

the receiving party shall, to the extent permitted by Data Protection Laws and Applicable Laws, promptly provide notice of the communication to the other party.

Handling of personal data supplied by or on behalf of publishers

3.1 Ozone shall ensure that any Personal Data supplied by or on behalf of Publisher shall:

• (a) be kept confidential in accordance with the Agreement; and
• (b) only be accessible to its staff to the extent necessary to properly perform its obligations and exercise its rights under the Agreement, who are informed of its confidential nature and the security procedures relating to it, and who are contractually bound to maintain its confidentiality.

Rights of individuals

4.1 The parties acknowledge and agree that Data Subjects may exercise their rights against either of the parties in accordance with the Data Protection Laws. Accordingly, each party shall have in place a process for handling:

• (a) requests that it receives from Users to exercise any of their rights to access, rectify, erase, restrict or object to processing of Personal Data, or to data portability; and
• (b) any other requests, complaints, queries or claims made by a User in relation to the processing of their Personal Data,

(each a “Data Subject Request”) in accordance with Data Protection Laws.

4.2 If a party receives a Data Subject Request concerning Personal Data processed in connection with the Agreement, the receiving party shall respond to that request in accordance with Data Protection Laws.

4.3 If and to the extent that such a Data Subject Request refers to the other party, or where it is otherwise required to enable the other party to comply with its obligations under Data Protection Laws, the receiving party shall promptly, and in any event within seven days after it receives the request, inform the other party of the Data Subject Request and the parties shall cooperate and provide reasonable information and assistance to each other to enable the parties to comply with their respective obligations under Data Protection Laws.

International transfers

Neither party shall transfer any Personal Data to the other party where such other party is located outside of the European Economic Area (EEA) and/or United Kingdom (UK) unless adequate safeguards (including without limitation any applicable and necessary supplemental measures) are implemented in accordance with Data Protection Laws.

General

Where the DPA specifies that the Publisher shall be the Controller and Ozone shall be the Processor in relation to certain processing, then in such cases these Processor Terms shall apply and the parties agree to comply with them.

Ozone obligations

2.1 Ozone shall:

• (a) Only act on the Publisher’s documented instructions unless otherwise required by Data Protection Law to which Ozone is subject, and Ozone shall immediately inform the Publisher if, in Ozone’s opinion, an instruction infringes applicable Data Protection Laws;
• (b) Ensure that Ozone’s employees, officers, agents, sub-contractors and/or authorised representatives authorised to Process the applicable Personal Data are subject to a contractual duty of confidentiality in relation to the applicable Processing;
• (c) Maintain and implement appropriate technical and organisational measures to protect the applicable Personal Data against any data breach or other form of unlawful processing, loss, or destruction (including, as appropriate, measures pursuant to Article 32 of the EU and/or UK GDPR);
• (d) Assist the Publisher by appropriate technical and organisational measures in responding to, and complying with, data subject requests;
• (e) Provide such assistance as the Publisher may reasonably require to allow it to comply with its obligations under Articles 32 to 36 (inclusive) of the EU and/or UK GDPR (and analogous obligations contained in the Data Protection Laws) in relation to the applicable Personal Data; and
• (f) Provide the Publisher with all information required to demonstrate compliance with the obligations in this Annex, and submit to annual audits and inspections of systems and processes which are relevant to the Processing of the Personal Data under this Annex, as may be conducted by it or by a third-party auditor mandated by it, provided that: (i) Ozone shall be compensated for its costs and expenses in relation to such audit, (ii) reasonable advance notice shall be given in respect of any such audit, (iii) any such audit shall only be conducted during Ozone’s normal business hours, (iv) any such audit shall be conducted to cause minimal disruption to the Ozone’s business operations, (v) no access shall be given to Ozone’s confidential information or any information relating to Ozone’s Other Publishers and/or financial data, and (vi) any third party auditor shall enter into confidentiality obligations directly with Ozone which are reasonably acceptable to Ozone.

Publishers obligations

3.1 The Publisher shall ensure that:

• (a) the supply and/or making available to Ozone of the applicable Personal Data for the purposes of Processing undertaken by Ozone as part of the applicable Services and its permitted further Processors, where such Processing is authorised by the Publisher, shall comply with the Data Protection Laws; and
• (b) the instructions given by the Publisher to Ozone comply with the Data Protection Laws.

3.2 Where, by operation of clause 2.1 of this Annex, Ozone is obliged to provide assistance to the Publisher, or to third parties at its request (including submission to an audit or inspection and/or the provision of information), such assistance shall be provided at the Publisher’s sole cost and expense, except where such assistance directly arises from Ozone’s breach of its obligations under this Annex, in which event the costs of such assistance shall be borne by Ozone.

Further processors

4.1 Notwithstanding any other provision of the Agreement, Ozone shall be entitled to appoint further Processors to Process the applicable Personal Data, subject to the following conditions:

• (a) Ozone shall notify the Publisher in writing (email sufficient) of its intention to engage such further Processors. Such notice shall give details of the identity of such further Processor and the services to be supplied by it;
• (b) The Publisher shall be deemed to have approved the engagement of the further Processor if it has not served on Ozone a notice in writing (email sufficient) objecting (acting reasonably) to such appointment within 14 days of the date of such notice.
• (c) In the event that the Publisher objects to any such appointment, Ozone and/or the Publisher shall be entitled to terminate with immediate effect the Agreement or any affected part of the Agreement.

4.2 Where Ozone engages another Processor for carrying out specific processing activities on behalf of the Publisher pursuant to this Annex, materially equivalent data protection obligations as set out in this Annex shall be imposed on that other Processor. Where that other Processor fails to fulfil its data protection obligations, Ozone shall remain fully liable to the Publisher, subject to the limitations and exclusions of liability set out in the Agreement, for the performance of that other Processor’s obligations.

4.3 Ozone shall only use Processors outside of the European Economic Area (EEA) and/or United Kingdom (UK) provided that adequate safeguards are implemented in accordance with Data Protection Laws (including without limitation any applicable and necessary supplemental measures).